ngtcp2 1.4.0 payload fixups
.xz binary is up, use that instead of .bz2.

It looks like the new GPG key is a subkey, which needs the old parent
key as well, for gpg to pass verification. Otherwise a
'Can't check signature: No public key' error is seen.

It also looks like the new keys are only available through the
Ubuntu keyserver, which isn't the primary one we're using. Solve this
by using a direct link to download these from Ubuntu. This also needs
restoring the direct key download logic deleted earlier:

revert dee8952: _dl.sh: drop support for downloading keys from urls

Also delete redundant `--max-time` options when direct downloading keys.
`my_curl` already adds this option.
vszakats committed Mar 18, 2024
1 parent 10dc967 commit fd37654
Showing 2 changed files with 16 additions and 8 deletions.
22 changes: 15 additions & 7 deletions _dl.sh
Expand Up @@ -108,11 +108,11 @@ cat <<EOF
},
{
"name": "ngtcp2",
"url": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.bz2",
"sig": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.bz2.asc",
"url": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.xz",
"sig": "https://github.com/ngtcp2/ngtcp2/releases/download/v{ver}/ngtcp2-{ver}.tar.xz.asc",
"redir": "redir",
"tag": ".+",
"keys": "516B622918D15C478AB1EA3A5339A2BE82E07DEC"
"keys": "https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&exact=on&search=0x27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&exact=on&search=0xF4F3B91474D1EB29889BD0EF7E8403D5D673C366"
},
{
"name": "wolfssl",
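Review bot: In the ngtcp2 entry, the `keys` value no longer carries a pinned fingerprint as data; the two fingerprints survive only inside the `search=0x...` query strings, and the entry does not record which URL is the old parent key and which is the new subkey that the commit message describes. Consider keeping the fingerprints in a field of their own next to the download URLs, so the verify step has a value to compare the signer against and a reader can tell the two keys apart without the commit log.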
Expand Down Expand Up @@ -373,7 +373,7 @@ check_dl() {
if [ ! -s pkg.sig ]; then
>&2 echo "! ${name}: Verify: Failed (Signature expected, but missing)"
elif grep -a -q -F 'BEGIN SSH SIGNATURE' pkg.sig; then
[[ "${key}" = 'https://'* ]] && key="$(my_curl --max-time 60 "${key}")"
[[ "${key}" = 'https://'* ]] && key="$(my_curl "${key}")"
exec 3<<EOF
${key}
EOF
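Review bot: On the `key="$(my_curl "${key}")"` line, the download result is used without a check, so a failed or empty response becomes the content of the here-document on fd 3. With `--max-time 60` removed, the timeout also depends entirely on what `my_curl` sets, which is not visible in this diff. Suggest testing that the fetched `key` is non-empty and reporting a `! ${name}: Verify: Failed ...` message in the style of the missing-signature case when it is not.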
Expand All @@ -385,7 +385,11 @@ EOF
fi
else
for key in ${keys}; do
gpg_recv_key "${key}" >/dev/null 2>&1
if [[ "${key}" = 'https://'* ]]; then
my_curl "${key}" | my_gpg --quiet --import >/dev/null 2>&1
else
gpg_recv_key "${key}" >/dev/null 2>&1
fi
done

if my_gpg --verify-options show-primary-uid-only --verify pkg.sig pkg.bin >/dev/null 2>&1; then
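Review bot: In the new `https://` branch, `my_curl "${key}" | my_gpg --quiet --import` imports whatever the URL returns, and as far as these lines show the following `my_gpg ... --verify pkg.sig pkg.bin` only establishes that some key in the keyring made the signature, so the fingerprint embedded in the URL is never enforced locally. Suggest comparing the expected fingerprint with the signer gpg reports (the `VALIDSIG` line from `--status-fd`) before treating the check as passed. Separately, the pipeline's exit status is discarded along with stderr, so a failed key download only surfaces later as a generic verify failure.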
Expand Down Expand Up @@ -613,14 +617,18 @@ live_dl() {
>&2 echo "! ${name}: Verify: Failed (Signature expected, but missing)"
exit 1
elif grep -a -q -F 'BEGIN SSH SIGNATURE' pkg.sig; then
[[ "${key}" = 'https://'* ]] && key="$(my_curl --max-time 60 "${key}")"
[[ "${key}" = 'https://'* ]] && key="$(my_curl "${key}")"
exec 3<<EOF
${key}
EOF
ssh-keygen -Y check-novalidate -n 'file' -f /dev/fd/3 -s pkg.sig < pkg.bin || exit 1
else
for key in ${keys}; do
gpg_recv_key "${key}"
if printf '%s' "${key}" | grep -q -a '^https://'; then
my_curl "${key}" | my_gpg --quiet --import 2>/dev/null
else
gpg_recv_key "${key}"
fi
done
my_gpg --verify-options show-primary-uid-only --verify pkg.sig pkg.bin || exit 1
fi
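Review bot: The URL test in this loop is written as `printf '%s' "${key}" | grep -q -a '^https://'`, while the SSH branch a few lines above and the same loop in `check_dl()` use `[[ "${key}" = 'https://'* ]]`. Use one form in both functions so they do not drift apart. The import here also hides stderr with `2>/dev/null` while `gpg_recv_key` in the `else` arm stays verbose; since the other failures in `live_dl()` end in `exit 1`, a failed download or import is worth reporting rather than silencing.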
2 changes: 1 addition & 1 deletion _versions.sh
Expand Up @@ -39,7 +39,7 @@ export NGHTTP2_HASH=625d6c3da1d9ca4fd643a638256431ae68fd1901653b2a61a245eea7b261
export NGHTTP3_VER_='1.2.0'
export NGHTTP3_HASH=d2e216bae7bd7362f850922e4237a5caa204853b3594b22adccab4c1e1c1d1aa
export NGTCP2_VER_='1.4.0'
export NGTCP2_HASH=70b647144fe258c18763a87130750d0b5ec61ba5cb9a2cd2eb6eef70108594c3
export NGTCP2_HASH=b5d1433b9f5c06ce249e1e390e97dcfa49bf7ada5cb7c8bed8e6cd4feaf1ca4a
export WOLFSSL_VER_='5.6.6'
export WOLFSSL_HASH=3d2ca672d41c2c2fa667885a80d6fa03c3e91f0f4f72f87aef2bc947e8c87237
export MBEDTLS_VER_='3.5.2'